How to change user account type in Windows…

Posted on July 17, 2014 by BITS

In my previous blog, I’ve emphasized the importance of not using administrator account for everyday tasks, such as reading your email, browsing the web, running your programs etc. In this blog, we’ll look at how to remove the administrator access from the first account that you have created during the Windows installation process.

By default, Windows installation proceeds with the administrator account, amply named “Administrator”. This is the initial account that has full access to the system and installs all the necessary drivers, programs, etc. When the installation is about to be completed, Windows will force you to create a user account with a password. This account name cannot be the name of existing accounts, but other than that, you’re free to choose a name. This first account created is assigned “Administrator” rights by the installation routine and the initial “Administrator” account is disabled. This installation routine first appeared in Windows Vista and continued with Windows 7, Windows 8.x, and presumable will be the same in Windows 9.

Back to the subject on hand and let’s remove administrator access for the first user account created in Windows…

The process is simple enough and the basic steps are:

Create a new administrator account
Login with the new administrator account
Change account type for the “%Default first user%”

There’s no way to know the name of the first account that you’ve assigned on your system. For the purpose of this blog, the name of the first account is indicated by the variable of:

“%Default first user%”

Please substitute this name with your first account you’ve created during Windows installation.

Step 1:
Open up the “Control Panel” and you should see this, if you have “Category” listing selected:

Select “Add or remove user accounts”, note the little shield front of it, under the “User Account and Family Safety” category. The little shield indicates, that using this step will require local administrator access, if your system had not been modified since installation. In which case, the User Access Control (UAC) warning like this will pop up first:

The UAC window on your system will have your first account’s name prepopulated, instead of the shown “%Default first user%” variable. You will not see this warning, if the UAC is disabled.

Enter your password for the account, click “OK”, to see the current accounts on your system:

In this window, click on “Create a new account”:

Choose a name for the new account that is meaningful for you. it can be anything you’d want. For the purpose of this blog, the account is named “Test admin”; substitute this name with your choice. Select “Administrator” for the account type and click on “Create account”, that brings up the current user accounts listing window, with the new account:

There’s no requirements for creating a password for the new account and it is created by the system with no password. In the computer world, no password is a password. Depending on the password policy on the system, you could:

Logon with the new account without password
The first logon will force you to change the password

You have couple of choices for setting a password for the new account:

Set the password using the Control panel
Change password at time of first logon with the new account
Login with no password and change it

In either case, you should set a password that is 6-8 character long, non-dictionary word, include a number, and/or special character.

Log off your account and proceed to the next step…

Step two:
This is a simple step, just select the newly created account, type in the password, and hit “Enter” to login with the new account. Initially, Windows will set up the new account and starts up the new profile.

Step three:
In this step, you’ll remove administrator access from the “%Default first user%”, again, please substitute the this name with your account’s name. As explained earlier, open Control Panel, under the “User Account and Family Safety” category, click on “Add or remove user accounts”:

Click on the “%Default first user%”, substitute this variable with the name of your account to show the available options:

The options include “Create a password” that you could use in “Step one” for setting the password for the new account created.

Click on change the account type:

Select “Standard user” and click on “Change Account Type”:

You’re pretty much done, logoff from the new administrator account. Test the modified account without local administrator access to the system, logon with this account. Your personalization of desktop, shortcuts, etc., did not change. Most if not all programs will run just fine with standard user access to the system. For programs that require administrator level access, the system will popup a UAC warning. You really should consider replacing this program, but that might not be an option. In which case, just enter the password for the administrator account and the program will run.

If removing the administrator access from the “%Default first user%” causing issues with your system and/or limits your productivity, reverse the process in “Step three”.

Malware and why you should be concerned…

Posted on June 19, 2014 by BITS

Malware is any software that disrupts computer operation, gathers sensitive information, or gains unauthorized access to private computer system. Once it gets a hold of your system, it will cause:

Loss of productivity
Embarrassment with customers
Lost sales
Lost data
Substantial financial loss
Frustration and loud swearing…

I’ve been getting questions about how malware infects computers. That made me realize that there is some misunderstandings that the general public has in this area. Certainly lots of information available via the web nowadays on this subject; however, most of the available information is intended for IT people and as such, this type of information requires a certain level of technical knowledge in the area of networks, computer systems, malware, etc. The available information is accurate, but most small business owners have limited time and/or interest in reading through pages and pages of technical information, much less following some and/or all suggested protection for computers.

I cannot really blame small business owners for shying away from reading all the gibberish (to them), that’s available about how to secure small business systems. Nonetheless, they must have some basic understanding of how malware can reach their business systems, in order to prevent getting malware on their computers. I’ll try to use common terms and simple explanations; hopefully, this won’t be that hard to follow…

The malware can reach a computer, laptop, tablet, smartphone in four different venues:

Internet access, wired and wireless
Internet browser
Email clients, in the form of attachment and/or links
Removable storage media, such as CD/DVD, flash drive, etc.

Statistically, 90% of malware reaches the IT equipment over the network while the remaining 10% is attributed to removable storage media. The typical unsecured setup, wired and/or wireless, for internet access would look like this:

Unsecured small business/home system

Why is that important to understand this process? Well, knowing how your business systems may become victimized by malware will help you to prevent it. If knowing this information will simply make you more aware of how to use your small business system, that’s great.

The actual goal of this blog post is to assist in transitioning you from your current set up to a secure business system that looks like this:

Secured small business/home system

The end result has accounted for all four potential weaknesses and removed and/or limited the impact of malware through these venues. Let’s take it step by step on how to eliminate and/or limit the way malware can reach the system.

1. Internet access, wired and wireless

Computer worms and automated scripts for hackers constantly scan the Internet for available services and exploit them automatically, if and when the vulnerable service is identified. For this reason, you should make sure that your computer or network is not open to this type of exploitation from the internet.

Adding a hardware-based broadband router and/or firewall remove the first major venue off the list. The cost for something of that nature would be around a hundred bucks. Something this simple can eliminate up to 10% of online risks through the Internet. The default factory configuration of the broadband routers blocks all Internet access to your system, in another word, just by installing one made your computers 10% more secure. Go ahead and test your computer at ShieldsUP! and confirm if your computer is at risk after you installed the broadband router. ShieldsUp! will scan your computer for available services at no cost. The result of this test should look like this:

Stealth

Please keep in mind that the portable devices, laptops, tablets, etc., require a software based firewall, if and when connected to networks, that are not under your control.

If your system scan does not show the same result, adjust the firewall rules to match the result and/or contact me to do it for you.

Let’s move to the next venues to protect your system from…

2. Internet browser, 3. Email clients, and 4. Removable media

Protection against #2, #3, and #4 venues are principally the same:

2.1 Do not use an administrator account for everyday tasks, such as browsing the web and reading emails.

I do understand and somewhat agree that running your computer with an administrator account does make life easier, especially when the User Access Control or UAC warning disabled, but consider this. If you do that, you’ve just made the hackers/malware life real easy. When you’ve logged on to your computer with an administrative account, any programs that you’ll run will be running under this access rights. And that’s any program, even the ones that you’re not aware that is running in the background such as malware. Do you see just how easy you made it for the hackers? He or she does not need to find a way to gain access to the administrative account; you’ve already given it to them.

The administrator account can also disable the antivirus solution to prevent protecting against the malware. You really should remove the administrator account access from your account that had been created when Windows was installed. Proceed with caution and don’t lock yourself out of your system. Create and administrator account first with a reasonable password for the purpose, name it whatever you want, log in with this account to test it first. Once the new account had been tested successfully, proceed to remove the administrative access for the account that you’ve been using. This step-by-step guidance, titled “How to change user account type in Windows…” can assist you performing this task.

If your program(s) require administrative level of access, you should consider replacing them. If that’s not an option, you’ll need to run the program via the “Run as…” option, that’ll grant administrative access just for the program in question and not the whole system. Alternatively, if you have the UAC enabled, Windows since Vista and later will popup a window for entering administrative credentials, if and when the program requires this access level/right.

2.2 Use caution in browsing the web and reading emails

This is how the majority of malware gets on your computer, about 80% of them. Both the browser and email based malware utilizes social engineering to convince the end user that they must perform some action. End users usually need to click on a link that downloads the malware and installs it. The convincing part can be as simple as offering nude picks of celebrities, or links to your financial institution sites, law enforcement warning, etc.

For social engineering sample and how to be cautious in reading emails, please see this link

Internet browsing on the other hand is a different story due to how the browsers work. All web pages are just scripts for browsers and they are executed under the logged on user’s access rights to the system. Browsing the web with an account that have administrative access to computer is asking for trouble, as explained above in “a.”. So, what can you do, other than not browsing the Internet logged on with an administrator account?

Common sense will protect you in most cases. Certainly, staying away from “shady websites” such as porno, pirated software, MP3 download, and similar sites, will avoid getting malware on your computer. It would nice that this avoidance would secure you from malware, but that’s not always the case. Hackers are smart and know that most people intentionally do not go to these shady sites. As such, they hack legitimate websites and place either their malware and/or link to their malware at these sites. This is called “watering hole” based attack, where the end users don’t suspect that the legitimate sites will install malware on their systems. The legitimate sites that had fallen for this type of malware distribution and they still do. CNN and Facebook are probably the most commonly used websites that had fallen to this malware distribution. Protecting against watering hole based malware is covered in “2.3.” below.

2.3 Keep the operating system and applications updated

Most, if not all malware takes a hold of your computer by exploiting known software vulnerability. Software companies do release updates to remove this vulnerability and you should install it as soon as they become available, be that for the Windows operating system and/or applications installed on your computer. Nowadays, most software has an automatic update feature that will download and install the updates automatically. You should not disable the automatic updates, let them update in timely manner, as they should, to prevent known vulnerabilities of the software to be used against your computer.

Don’t just trust the automatic update that it’ll do its job, sometimes they don’t. Since the majority of the malware reaches your computer through the browser, you should periodically test the security of the browser and its plugins at this link, a plugin installation required:

https://browsercheck.qualys.com/

The Qualys plugin will scan your system for missing patches that includes browser, operating system and applications. The results displayed in your browser with links to the updates. Here’s the results for my system:

Browser:

System:

Applications:

The computer missing updates is vulnerable to exploits, be that Windows PC or in this case an Apple computer. The latter one may not have as many malware as the former one, but nonetheless, it can be exploited just as well as Windows PCs if and when it’s missing updates.

2.4 Purchase and install antivirus product (approximated $50-80), update definition files frequently

This does not require much explanation, I hope. As long as you don’t use an administrative account for everyday tasks, it’s a worthwhile investment. You could also forgo purchasing an antivirus software and use Windows Defender, if you have Windows Vista or later version. The Defender is free with the operating system and provides protection against malware. The Defender and other antivirus effectiveness is greatly increased, if you follow the security recommendation in this blog.

2.5 Removable storage media

Generally speaking, most of the malware on removable media is rather old. An up to date antivirus will stop older malware from infecting your computers. Nonetheless, you should:

a. Disable “AutoPlay” for removable storage media:

In the “Control Panel” select “Hardware and Sounds”, click on “AutoPlay” icon, and select “Take no action” for software and games at the minimum.

b. Scan the removable media:

Your antivirus software by default will ask you, if you want to scan the removable storage media, just say yes…

Following these recommendations will protect you against most known vulnerabilities, about 95% and so far, it costs you about 175 bucks, some time to install, and configure the components.

So, what about the remaining 5%, how does one protect the system against that?

There are other options that can increase protection of the system with additional software. Knowing that sophisticated malware, among other malware, utilizes buffer overflow technics; you need a solution that will protect against this technology. One such software is Microsoft Enhanced Mitigation Experience Toolkit, or EMET for short. This protection is free from Microsoft and easy to configure and just by selecting the default option during installation, it will protect your system against most of the malware relying on buffer overflow technics.

You can also download and install Winpatrol – Scotty for free, which will monitor changes to Windows startup environment. All malware will change this environment and Winpatrol will alert you, if and when the startup environment is about to change. You’ll have the option to deny or allow the change.

With the additional protection installed, your system is protected against 99.9% of malware, provided that you have done and remain committed to following the steps in this blog post. That’s not bad for 175 bucks and some of your time invested. This is pretty much the best that someone, who is not an IT professional can do in today’s environment. Corporations spend millions of dollars, thousands of hours on installation and training, yet they are struggling to get to this level of protection.

If you have gotten this far, that’s great. You’re on your way to have a home/small business system, that will resist most, if not all malware trying to exploit your systems.

This seems complicated, but if you break it down and do one step at the time, apply some patience, it can be done by most computer users. If you run into trouble you can always re-read part of my blog, or contact me for help.

Alternatively, if you are short on time, you should hire BITS to do it for you. Contact Otto via email, or call the office at 203.569.7610. Based on your business needs dictated operational requirements, we can tailor a security protection for you.

Difference between US and EU privacy laws…

Posted on April 5, 2014 by BITS

The difference between the privacy laws in the US and EU can be summed up in couple of sentences.

In the US, the privacy laws are sectoral based and they do not apply to all the industries. On the other side of the pond, the EU have privacy laws that applicable to all industries, including foreign entities.

The difference between the privacy laws requires US companies to comply with EU privacy laws, if and when they do business in the EU countries. This can result in some interesting changes to their websites, when EU citizens visit the company pages.

Take for example this Microsoft website link for people in Great Britain:

Microsoft Download Site for Great Britain

If you click on the link, you’ll see this warning in your browser:

The EU privacy laws requires MS, and pretty much everyone who does business in the EU, to display this message:

By using this site you agree to the use of cookies for analytics, personalized content and ads.

One can select “No, thanks”, the end user stays on the English-GB site, and end user’s browsing activities are tracked.

The warning also ask, if you’d prefer US-English website; let’s take the same Microsoft website link for people in the US:

Microsoft Download Site for the US

If you click on the link, you’ll see no warning in your browser:

End user browser activity tracking is a given within the US, no permission is required…

That pretty much sums up the difference between the EU and US privacy laws on a personal level. Basically within the EU, people need to opt-in for allowing collection of their data, while in the US people by default are opted-in and would need to opt-out, if they object.

At either side of the pond, browser plugins or add-on is necessary to block tracking end user browser activities. For example, visiting either of the websites with the Ghostery plugin active, it’ll block the MS tracking:

PS: This blog looked at Microsoft website links for examples; other US companies have similar website redirection for EU countries.

Why antivirus software cannot protect your computer….

Posted on March 22, 2014 by BITS

Practically everyone relies on antivirus solutions to protect their systems against malware. This blog looks at just how reliable these solutions are against malware? In order to have some meaningful analysis, there’s a need to know the number of new malware per month and the percentage of antivirus efficiency.

Let’s start with establishing the number of malware per month. There are various numbers floating around the internet for this purpose, arbitrarily, let’s use the “Mcafee Labs Threats Report, Fourth Quarter 2013”. Quote from the referenced report:

“McAfee Labs records 200 new threats every minute—more than three every second.”

Let’s not worry about the number of malware not detected by McAfee Labs, just calculate the per month number from the quote:

200×60=12,000 (per hour)
12,000×24=288,000 (per day)
288,000×30=8,640,000 (per month)

That’s a huge number of malware that’s being churned out on the monthly basis as of end of 2013; the number of malware released on today’s date is probably greater. Antivirus, are you up to the task?

The efficiency of the antivirus is measured in the percentage of malware, that is detected, deleted, and/or quarantined. Generally, this percentage is between 95-99 percentile, meaning that it’ll detect most of the malware. Any of the solutions and/or testing sites claiming 100% detection rate for a given antivirus should be treated as bogus.
Let’s look at the different percentages, starting at 97%, and their impact to the number of malware that will not be detected, based on the calculated 8,640,000 new malware per month from the above:

Let’s not dwell on the fact that most malware routinely disables the antivirus solution at hand and/or just exempts itself from antivirus scanning. Nor should we be concerned that minor changes to a given malware would cause non-detection by antivirus solutions. Let’s just go with the best case scenario.

That would be 99.9% detection rate, that still let 288 malware slip through the antivirus protection. The sheer volume of new malware is pretty much the main culprit for the non-detection. Expecting the antivirus solution to provide 100% protection is beyond the capabilities of the software.

So, what can you do?

To start with, keep your antivirus and setup frequent automated update for the virus definition file. There’s nothing on the market that is recommended to replace antivirus solutions. But antivirus needs help…

Augment the antivirus solution with additional protection that can protect against malware, that is not detected by antivirus software. In another word, use layered security protection for your computer. The layer can be as simple as not running your computer with an administrator account. Doing so will prevent most malware to disable your antivirus software and allows it to perform its protective function. You’d be surprise to learn how many malware still relies on old malware routine, once the antivirus software is disabled.

You could also add Microsoft EMET and Winpatrol as additional layer of protection to your system. Even if you just use the default installation of this two free programs, you’ll be better off than most computer users, who just rely on antivirus to protect their systems.

And nowadays, that’s all you can ask for…

Privacy and N.S.A.’s bulk collection of data..

Posted on March 22, 2014 by BITS

A federal judge on December 27 ruled that a National Security Agency (NSA) program that collects enormous troves of phone records is legal. The latest decision, from Judge William H. Pauley III in New York, could not have been more different from one issued on Dec. 16 by Judge Richard J. Leon in Washington, who ruled that the program was “almost Orwellian” and probably unconstitutional.

I leave it up to the legal system to make the final decision, but…

NSA is not directly collecting the data, that is left to private companies. These companies collect data on people, practically “on every move you make”, that made available to other companies for a fee. The collector can be your phone company, wired or wireless, internet service providers or search engines, pharmacies, or whatever you name, it’s all out there. And again, this data is for sale to improve corporation profitability and doing so, the data is no longer private. All NSA is doing is to acquire this data, either for free, or for a fee like any other corporations.

All of this data about you had created a new business, data brokers. Most of these business has little, or no regulatory compliance requirements. These brokers may specialize in certain activities of yours; however, they will all maintain your:

Name
Date of birth
Place of birth
Social Security #
Current and past addresses
Driver license #
Passport
Employment history
Credit history
Etc., etc., etc…

You all know, or should know, how search engines identify you and track all of your activities on the web. (There’s no reason to single out Google as the greatest threat to your privacy, but they do deserve a not so honorable mention.) The search engine companies sell this data to advertiser, who in return peddle their customers’ products to you. The advertisements are so sophisticated, that by the time you click on a link the advertisement, the advertisement is there. The response time for popping up advertisement is measured in milliseconds…

There’s no reason to list well known credit rating agencies, or data brokers. Here’s partial listing of specialized data brokers…

Auto and property insurance reports:
Insurance Information Exchange
Insurance Services Office (ISO) (A Plus Property Reports)

Utilities:
National Consumer Telecom and Utilities Exchange

Medical:
Medical Information Bureau
Milliman IntelliScrips*

*-How a data broker can obtain your prescription history in the world of HIPAA, HITECH, and other federal regulations is beyond me. Especially when the quoted purpose from their websites states:

“Milliman Underwriting Intelligence begins with our market leading prescription history solutions. Milliman IntelliScript delivers complete and current prescription histories that allow insurers to make instant underwriting decisions with confidence.”

If you still believe that “I have nothing to hide”, just remember next time, when your insurance rates are substantially increased, to send a thank you note to Milliman…

How to backup small business data…

Posted on December 9, 2013 by BITS

You’ve probably heard it a thousand times by now – backup your data. If you store business and customer data on your computer (and who doesn’t nowadays?), you need a safe and secure way to back up and store your data. Computers do break and it’s not a question of if, it’s a question of when? And that’s 100% guaranteed…

Backing up your QuickBooks data locally on your computer is not a safe backup. Should your computer decide to crash beyond repair, you’ll loose your backup as well. You’ll need to backup your business data locally in the place of office/business and offsite (in the cloud). Yes, you should have both type of backups. The local backup protects against computer crash, while offsite backup protects data against your office/business impacted by disasters such as fire, flood, etc.

How to back up business data locally?

The simplest way to backup business data is to copy the data to an external storage device. The type of device selected is dependent on the size of the data. The USB flash drive is on option, that nowadays can store up to 256 GBs of data. For most small businesses a 16-32 GBs USB flash drive, for about $30.00, should be sufficient. Once you backup your QuickBooks and/or customer data locally on the computer, then simply copy/paste these backups on your USB flash drive. You can also keep this flash drive with you, after copying the backups, in case your office “disappears”. If you carry the flash drive with you, you should protect it against loss by encrypting the data.

For hundreds of GBs of data an external hard disk drive (with USB, eSATA, etc., interface) should be selected, about $90.00 for one TBs. Most of these external hard drives include software to synchronize and/or backup your data. Once you install and configure the software, the backup takes place in the background, without further interaction with the backup process. You could take the external hard drive with you when you leave the office, but it’s rather bulky and may get damaged, if dropped, magnetic field, etc.

How about the security of the local backups?

It depends on the level of security that your data requires. You could just password protect your QuickBooks and/or customer databases. You could also keep all of your backups in one folder, use WinZip with password protection to the external storage device to store the data. If your business data requires greater protection, you should select a USB flash drive and/or hard disk drive that supports encrypting the backup. Similarly to password protecting files, the encryption relies on a password to protect the data. Some caution about encryption…

Encryption is a double-edged sword; while encrypting data with password is easy, decryption is nearly impossible without the password. If you loose your password, you will not be able to access your data. For this reason, my recommendation is to write down the password and store it in a secure place. No, storing the password at or around your computer is not a secure place. Storing it in your wallet, smartphone, etc., are better suited options.

How about offsite (in the cloud) backup?

The simplest way describing in the cloud back up is to basically copying your local backup to the cloud.

Depending on the size of the data being backed up and your internet connection’s transfer speed, there are number of options available. Some of them are for free, such as Dropbox, Microsoft Skydrive, Google, etc., and provide around 4 GBs storage per account. These solutions requires software installation, they create a folder on your computer, and its content is synchronized to the cloud.

For example, Dropbox software will create a folder named “Dropbox” on your computer. Any changes to the files in this folder are transferred to your account at Dropbox. The simplest way to back up your data into the cloud is to store your local data and/or backup in that folder. Every time there’s a change in to the “Dropbox” folder, it’ll be uploaded to the cloud without any additional steps required. Most of the cloud storage places do encrypt the data on their servers; however, employees of the company can access your data. If you don’t want them to have access to your data, you’ll need to select an offsite solution that provides client side encryption.

Some of the solutions for client side encryption are free, such as SpyderOak upto 4 GBs storage, while others, such as Carbonite, charge a monthly fee for the service. Most of them offer a free trial for 30-day and you should try them to evaluate the suitability of the service for your needs. In either case, they work similarly to Dropbox; they create a folder and synchronize its content to the cloud. The difference is that, if you loose your password for these solutions, the company cannot help you to decrypt your files. As mentioned earlier, encryption is a double-edged sword…

Based on your requirements and technical knowledge level, select the back up type that suits your small business the best and requires the least interaction for successfully backing up your business data. Should you need help in selection process and setting up your backups, please contact us at at our website

How to secure your computer against malware…

Posted on September 26, 2013 by BITS

Securing computers against malware isn’t that hard, at least in theory. It does require basic understanding of how computer works and using common sense approach.

The security protection for computers outlined below:

Use non-privileged user account (no admin) for day-to-day tasks such as email and web browsing

Apply system security and other patches as they become available

Keep application software, such as Adobe PDF and Flash, JAVA, MS Office Suite, etc. up to date with patches

Disable system services that are not required

Uninstall software that is not used

Keep antivirus software definition files up to date

Exercise caution in browsing the web and reading email

This protection can be effective against known malware, that targets system/application vulnerabilities for simple reason. The system has been patched, the antivirus knows about the malware, and the end user is cautious in his/her internet access. Understanding how the malware can get on to his/her system is half of the battle against malware.

Most, if not all, malware uses email, web pages, or combination of both to exploit unsuspecting users:

Email email/web based exploits:

The user receives an email with attachment that exploits and application vulnerability, such as Adobe PDF Reader, MS Office Word and/or Excel, Winzip, etc. The attachment has most of the malicious code; however, it certainly can download additional malware, once it takes a hold of the system

The user receives an email that while it does not have attachment, it contains links to the malware. The link is represented as a “legitimate” website; however, the HTML code under the name of the website redirects the user to a site where the malware resides (also called “spear fishing” read more about it here…)

Web page exploits:

Legitimate websites are hacked and the malware is uploaded to the sites

People visiting the hacked website(s) download and install malware without the user knowledge on his/her system (also called “watering hole” attack)

That’s all good and seems easy to follow, but why so many computers are hacked? The answer is two fold…

The most common answer is likely that the end user did not follow the basic security steps outlined above. After all, we can always point fingers at the end user, right or wrong…

The other answer is zero-day exploits…

The zero-day attacks are based on unknown system and/or application vulnerabilities that yet to be discovered and fixed by software companies. The antivirus software does not protect against these type of attacks, neither do system and application security patches since the vulnerability is unknown. In another word, the computer with latest antivirus and security patches can easily fall victim to zero-day attacks.

“That’s not good, even if I follow these steps, I can still “easily fall victim”. Why should I follow the common sense based security practice? What difference does it make, if I am hacked by known or unknown malware?”

The frustration is understandable, but the common sense based protection does have benefits. A large number of the malware is known and this approach will stop them infecting your system.

Exercising caution in browsing the web and reading emails (#7) can prevent the smaller number of zero-day malware infecting your system. In addition, augmenting the antivirus protection of the system with software that protects against zero-day malware is another option, that can overcome carelessness in browsing the web.

The software that can target protection against zero-day malware is available; however, writing about them will be in another blog…

Capturing online passwords and Antivirus…

Posted on July 24, 2013 by BITS

The “traditional means” of capturing online passwords had been provided by “key-loggers” for decades, that capture every key-strokes by the local users. As of late, Antivirus companies have added additional protection for preventing key-loggers from collecting passwords. This security protection has various names and dependent on the Antivirus company, such as safepay, password manager, etc. Almost all of these protections integrate virtual keyboard, that require clicking on the password and/or using a touchscreen for entering the password, instead of the traditional key-board strokes.

Do they actually work?

The short answer is yes, they could prevent key-loggers collecting the password since the keyboard is not used for entering account information. The problem is that, if the end user computer has a key-logger, the machine also has a root-kit (a requirement to install the key-logger) that has full access to the system, including the Antivirus. As such, the root-kit can routinely exempt itself from Antivirus protection and in theory, it could capture the virtual keystroke as well.

Hackers always seem to be ahead of Antivirus solutions and that certainly seems to be the case for capturing online passwords. Instead of using a key-logger, they have developed a solution that capture the user account credentials by grabbing them with an HTML form grabber. The form grabber “grabs” the authentication credentials from within the browser, where the login credentials are entered. It does not matter, if these credentials entered by keyboard, virtual keyboard, or auto-filled, the form grabber captures it. The malicious package had been released in May, 2013, pretty much around the time when Antivirus companies starting to advertise/claim to secure the end user’s passwords. Coincidence, you might say? It could be… The HTML form grabber also requires a root-kit for its operation, similarly to the key-loggers above.

In both cases, the common need for capturing the end user’s authentication credentials is the root-kit, without it, neither of them can capture the password. The Antivirus solutions would be better off preventing the root-kit getting on the computers, instead of rolling out additional features with dubious claims.

The Antivirus solution, while it is still necessary, requires additional security measures to augment protection against root-kits. Friends, don’t let friends rely on Antivirus protection only…

How to block Windows 8.1 smart search…

Posted on July 16, 2013 by BITS

The previous blog described the inner working of Windows 8.1 smart search, its privacy, and security risks. This blog will look at the ways to block Microsoft tracking the end user’s activities.

The Windows 8.1 preview version does not have an “uninstall” option for the smart search and as such, disabling smart search based tracking requires system and firewall policy modifications.

The easiest way to block Microsoft tracking of the end user is simply not using the smart search, or “Search Charm”. Other searches in the preview version, Windows Explorer, browsers, applications, etc., are not integrated with Bing searches. They might as well be in the final, but not in the preview version.

If that’s not an option, here are some of the ways that can help prevent the smart search dishing out advertisements to the unsuspected end user.

As stated in the previous blog, the “Search & Apps” options can be changed not to receive Bing search results within the smart search; in which case the web search results are not displayed, but the tracking data is transferred to Redmond
Turn off “Windows Location Provider” and “Windows Search”, accessible through the “Control Panel\Add/Remove Programs and Features\Turn Windows features on or off”. This also stops the web search results to be displayed, but tracking data is still transferred to Microsoft
Block access to the destination server via the firewall policy, by DNS name and/or IP address, at the Internet gateway.

Turning off Windows features requires local administrator access and rebooting the system for the changes to take effect. The actual changes are simply removing a check-mark as shown below:

The colors indicate the impact of disabling the feature to the system. For desktops, the “Windows Location Provider” (simply tracking the location of the computer) can be safely removed. Removing “Windows Search” feature will have a performance impact and locating files on the local system will take longer. As such proceed with caution.

When the two Windows features are disabled, the local search still works through the smart search; however, the web search throws an error message:

Is it me, or the second “your search” is not necessary in this message?

The firewall policy can block access to Redmond’s destination server, that does stop Microsoft tracking end users’ activities. The policy is rather simple, such as “source address=any”, “protocol=any”, “destination=Redmond destination DNS/IP”. The local system search results are displayed, tracking data not transferred to Microsoft, and the Web search displaying an error message:

And that’s quite alright… If I want to be bombarded with advertisements, I’ll use a browser…

Windows 8.1 smart search… Is it really smart?

Posted on July 16, 2013 by BITS

The Windows 8.1 preview introduced the “Search Charm”, that includes searching the Internet via Bing:

The default search option is to search everywhere, when the search charm is selected:

The drop down arrow lists the options for limiting the search to the selected area:

Any of the options can be selected that causes the search results to be displayed in the chosen area only.

As the search term(s) entered, highlights of the result are displayed:

The priority is given to local search over the Web search results, that are hyper-linked. Clicking on any of the results brings up the application handling the file type. In this example, the “DDR3 memory.docx” file opens in MS Word in the the desktop; the web link of “ddr3 memory” opens up a Wikipedia in IE11, also within the desktop.

Continuing the search displays the results in full screen, with local search results on the left and the web search results on the right:

The web search results are the same as the Bing’s search results in an actual browser, with one difference. The browser lists the “bing.com/shopping” as the first link.
The order of the web links is influenced by advertisement for the smart search, the same way as it influences the browser search results. Integrated paid advertisement into the Operating System (OS) isn’t new either, arguably, Apple and Google are ahead of Microsoft from this perspective. Right or wrong, it is a business decision by Microsoft that prioritized advertisement revenue, as evidenced by the statements in the search settings:

Integrating advertisement driven search results in the OS does present a privacy risk to the end user. Making the web search integration the default option, while understandable from business perspective, should not be for the end users. Fortunately, Microsoft allows opting out from Bing searches in the OS:

The end users who opted out of Bing searches will receive local system searches only. Kudos for Microsoft for providing and interface that disables the Bing web search integration into the OS.

The question is, does the opt-out really disable Bing web search? The short answer is seemingly yes. Doing a search with the “Everywhere” option selected results in displaying local system search results only.

The long answer is that while web searches are not displayed, the “smart search” continues tracking the end user’s search activities. Anytime the user opens up the “Search Charm”, the OS will:

Establish a TLS 1.2 encrypted connection to a destination server
Once the search term(s) entered, it is sent to Microsoft
The search result of the local system may, or may not being sent to Microsoft
The web search results are not displayed

Microsoft should state that disabling Bing searches does not stop “smart search” from tracking end user activities.

The “smart search” poses a privacy risk to the end user and in addition, it could become a security risk as well. Especially when hackers “re-engineer” Microsoft’s smart search and use it for their malicious purposes. The smart search is nothing else, but a combination of APIs that can be called by malicious software to collect information about the end users.The Bing search results could also be changed on the fly to redirect the browser to a site that hosts the malicious software, prior to connecting the end user to the legitimate website.

In some ways, Microsoft had made it easier for the hackers to exploit the end users. Smart, real smart Microsoft…